1. Field of Invention
The present invention relates generally to managing communications on a computer network, and more particularly, to restricting communication between selected network devices.
2. Background of the Invention
Computer networks allow many network devices to communicate with each other and to share resources. In order to transmit a packet of data from one network device to another on a local area network (LAN), the sending device must have the local area address of the destination device, and in particular, must have a Layer 2 (L2) or media access control (MAC) address that uniquely specifies the individual hardware device that is to receive the packet. In an Ethernet LAN, each network device has a network interface card,which has a unique Ethernet address. In an FDDI LAN, each device likewise will have a unique MAC address.
Typically, all of the devices on a LAN are allowed to communicate with each other, and thus, there are provided various mechanisms by which devices learn the L2 addresses of other devices in order to transmit packets to them. In an Ethernet network, the Address Resolution Protocol (ARP) defined in RFC 826 is used to convert protocol addresses, such as IP addresses, to L2 addresses, such as Ethernet addresses. In this protocol, a first network device broadcasts a request that includes the IP address that it wants to transmit a packet to (the destination IP address), and its own IP and Ethernet addresses. Since the request is broadcast all devices on the network receive it. However, only the second network device that has the requested destination IP address responds by sending back its Ethernet address. The first network device can now transmit packets directly to the second network device.
This type of address discovery is acceptable on networks where it is desirable for all devices to communicate with each other. However, it may be desirable to provide a computer network in which devices are restricted from communicating with each other generally. For example, an Internet Server Provider (ISP) may wish to support computers from many different customers on the same network. In order to ensure the privacy and integrity of each customer""s data and applications, it is desirable to prevent the customers"" computers from communicating with each other, for example to prevent malicious tampering with data. This has been done conventionally by isolating each customer""s computers and devices to its own subnet. However, this approach is expensive and complex to manage because isolating a subnet from others requires special-purpose hardware (such as a bridge), special-purpose software (such as that in a router) or both. In some instances, the necessary isolation may be impossible, for example, where the ISP provides virtual servers (multiple different servers for different customers) on a single host computer.
Thus, in those instances where it is desirable to have multiple customers sharing a subnet, it is further desirable to prevent their respective devices from communicating with each other.
The present invention makes it possible to restrict communications between network devices on a common subnet. In particular, any network device can be restricted to communicating only with a predefined set of authorized or validated network devices.
In one aspect of the present invention, network devices are restricted from providing their network addresses to other than previously authorized devices. For example, a network device may not respond to ARP requests that seek to know its L2 address, unless the requesting device itself has a validated network address, which indicates that it is authorized to request L2 addresses of other devices. Because a network device is prohibited from revealing its L2 address to unauthorized devices, these unauthorized devices will not be able to send packets to the network device. In another aspect of the present invention, network devices are prevented from discovering the L2 network addresses of other devices, unless authorized to do so. Because an unauthorized device cannot discover the network addresses of other devices, it cannot communicate with them.
In one embodiment, a subnet of a computer network includes a number of network devices, such as computers, printers, routers, bridges, and so forth. Each device has a unique L2 address (e.g., an Ethernet address), and an assigned IP address. Only certain devices on the network are authorized to determine, via an address resolution protocol such as ARP, the L2 addresses of other network devices. These authorized devices are preferably routers that are attached to the subnet; however, other network devices may also be authorized, for example, a computer operated by a system administrator. A list of the IP addresses of these authorized devices is stored in each of the network devices, preferably in a privileged area, such as in the operating system kernel. The authorized IP address list is preferably loaded by each network device upon start up. The authorized IP address list may be updated periodically by a system administrator to reflect newly authorized devices, or to remove previously authorized devices.
According to the first aspect of the invention, when a first network device seeks to communicate with a second network device, the first network device broadcasts an ARP request, including its own IP and L2 addresses, and the IP address of the second network device. The second network device receives this request packet. However, instead of responding as described in ARP, it compares the IP address of the first network device to the list of authorized IP addresses. If the IP address of the first network device is not on the list, then the second network device does not reply to the request packet, but instead remains xe2x80x9csilent.xe2x80x9d
This prevents the first network device from discovering the L2 address of the second network device, and thereby directing any packets to it. If the IP address of the first network device is on the list of authorized IP addresses, then the second network device replies in the normal fashion with its L2 address.
In accordance with the ARP, the second network device maintains a translation table that maps L2 addresses to IP addresses and protocol types. Conventionally, whenever a network device receives an ARP request, is updates this translation table to include the L2 address and IP address of the requesting device. However in a preferred embodiment, the second network device does not automatically update the translation table, but rather only if the first network device is authorized to request L2 addresses. This feature is further desirable to prevent IP spoofing attacks on the second network device.
As a further enhancement according to the second aspect of the invention, before a first network device sends an ARP request, it compares it own IP address with the list of authorized IP addresses. If its own IP address is not on the list, then it does not send request packet. This feature further prevents the network device from discovering the network addresses of other devices.
These features of the present invention may be embodied in various forms. In one implementation, each network device includes a memory storing a TCP/IP protocol stack. The protocol stack is responsible for moving packets from one layer of the network to another. The protocol stack includes an ARP component that implements the ARP (called the address resolution module in RFC 862). In one embodiment, this ARP component is modified to compare the IP address of a requesting network device to a list of authorized IP addresses before replying with its own L2 address. If the IP address is not authorized, then the ARP component does not respond. Preferably, the ARP component also does not update its translation table if the IP address is not authorized. The ARP component may be further modified to test the IP address of the network device itself before transmitting an ARP request on behalf of the network device in which it is included.
Yet another embodiment of the present invention is a computer subnet administered by an ISP. Various computers are coupled to the subnet, each of which may be dedicated to one customer or to multiple customers (e.g., where multiple customers have their own private servers including distinct L2 addresses). The ARP of each computer/server is modified as just described to restrict responses to ARP requests to only those requests coming from authorized network devices. The ARP component may be further modified to prevent ARP requests from being generated on any other but authorized devices.